Host login-failure alerting with Logstash and Zabbix 4.4

Environment and notes:

Logstash version: 7.10.1. Logstash parses and filters the log entries shipped by Filebeat on the client hosts, then forwards the result to the Zabbix server.

Zabbix version: 4.4 (use MySQL as the database by default)

Host environment: CentOS 7.x

Filebeat version: 7.10.1. Filebeat collects the login log of the client host, mainly /var/log/secure.

Result

[Screenshot: image-20210329155556009]

Deployment and configuration

Installing and deploying Zabbix Server is not covered here; refer to other documents if you need it.

1. Install Logstash on the host where the Zabbix server runs (installation steps omitted; the focus is the configuration)

2. Configure Logstash and install the Zabbix output plugin

# If the online install is slow, consider installing offline; an offline package is linked below
$ bin/logstash-plugin install logstash-output-zabbix
# Offline plugin install
$ bin/logstash-plugin install file:///root/logstash-output-zabbix.zip

Offline package link: https://share.weiyun.com/5cBP60be  password: xet8eq

$ cat /etc/logstash/conf.d/host-login-log.conf
input {
    beats {
        host => "0.0.0.0"
        port => "5044"
        #codec => "json"
    }
}
# Filter stage
filter {
    # zabbix_key must equal the key of the item created in Zabbix
    # zabbix_host must equal the host name as registered in Zabbix (here the Zabbix server host, zabbix-ops)
    # host-login is the key Logstash attaches after processing; the Zabbix item configured below uses it
    # new_message combines referenced fields into one new field
    mutate {
        add_field => {
            "[@metadata][zabbix_key]"  => "host-login"
            "[@metadata][zabbix_host]" => "zabbix-ops"
            "new_message" => "主机信息: %{[host][hostname]}(%{[host][ip]}) - 登录日志: %{message}"
        }
    }
}
output {
    #stdout { codec => rubydebug }
    # Output plugin: zabbix
    # zabbix_host        name of the field (set in the filter) that holds the Zabbix host name
    # zabbix_server_host address of the zabbix_server service
    # zabbix_server_port port of the zabbix_server service, default 10051
    # zabbix_key         name of the field (set in the filter) that holds the item key
    # zabbix_value       name of the field whose value is sent to Zabbix, default message
    zabbix {
      zabbix_host => "[@metadata][zabbix_host]"
      zabbix_server_host => "10.2.6.204"
      zabbix_server_port => "10051"
      zabbix_key => "[@metadata][zabbix_key]"
      zabbix_value => "new_message"
    }
}

3. Install the Filebeat client on the client host (the process is omitted, focusing on the configuration)

The client host can be one that already runs the Zabbix Agent, or a machine on which only Filebeat is deployed.

4. Configure Filebeat

$ vim filebeat.yml
filebeat.inputs:
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/secure # CentOS 7 writes login session logs to this file; also applies to CentOS 6
    #- c:\programdata\elasticsearch\logs\*
  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']
  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  include_lines: ['Failed password'] # only ship failed-login lines
...
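To check what the two configurations above actually hand to Zabbix, here is an added example (not code from the original post or from the Logstash plugin) that mirrors the pipeline in plain Python: it applies the same include_lines filter, builds the same new_message string the mutate filter adds, and wraps it in the Zabbix trapper ("sender data") packet that logstash-output-zabbix sends to zabbix_server on port 10051. The log lines, host name web01 and IP 10.2.6.20 are constructed sample values; the extraction of user and source address is an addition that the page's filter does not perform.

```python
"""Mirror the Filebeat + Logstash + Zabbix pipeline described above in plain Python.
Sample /var/log/secure lines are constructed; host name and IP are assumptions."""
import json
import re
import struct

# Same filter as Filebeat's include_lines: ['Failed password']
INCLUDE_RE = re.compile(r"Failed password")
# Extracts user / source / port from a failed-password line (added here, not on the page)
DETAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")

SAMPLE_SECURE = [  # constructed sample lines in /var/log/secure format
    "Mar 29 16:20:01 web01 sshd[2211]: Accepted publickey for ops from 10.2.6.10 port 50122 ssh2",
    "Mar 29 16:20:13 web01 sshd[2240]: Failed password for root from 203.0.113.5 port 41022 ssh2",
    "Mar 29 16:20:15 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2",
]

def select_failures(lines):
    """Keep only the lines Filebeat would ship (include_lines: 'Failed password')."""
    return [line for line in lines if INCLUDE_RE.search(line)]

def parse_failure(line):
    """Return (user, source_ip, port) from a failed-password line, or None for other lines."""
    m = DETAIL_RE.search(line)
    return (m["user"], m["src"], int(m["port"])) if m else None

def build_new_message(hostname, ip, message):
    """Same string the mutate filter's add_field builds into new_message."""
    return f"主机信息: {hostname}({ip}) - 登录日志: {message}"

def build_zabbix_packet(zabbix_host, key, value):
    """Zabbix trapper packet: 'ZBXD' + 0x01 + 8-byte little-endian payload length + JSON."""
    body = json.dumps({"request": "sender data",
                       "data": [{"host": zabbix_host, "key": key, "value": value}]}).encode()
    return b"ZBXD\x01" + struct.pack("<Q", len(body)) + body

def decode_zabbix_packet(packet):
    """Parse a packet back the way zabbix_server does and return the JSON payload."""
    if packet[:5] != b"ZBXD\x01":
        raise ValueError("bad Zabbix header")
    (length,) = struct.unpack("<Q", packet[5:13])
    return json.loads(packet[13:13 + length])

if __name__ == "__main__":
    for line in select_failures(SAMPLE_SECURE):
        msg = build_new_message("web01", "10.2.6.20", line)
        print(parse_failure(line), decode_zabbix_packet(build_zabbix_packet("zabbix-ops", "host-login", msg)))
```

zabbix_server only accepts such packets for an item of type "Zabbix trapper" whose key (host-login) and host name (zabbix-ops) match what the filter sets; a mismatch is silently counted as a failed value in the sender response, which is the first thing to check if the item stays empty.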

5. Start Logstash and Filebeat (omitted...)

6. Configure Zabbix

  • Create a new monitoring item

[Screenshot: image-20210329161837740]

[Screenshot: image-20210329162026408]

  • Configure the trigger

[Screenshot: image-20210329162121664]

7. Verification

[Screenshot: image-20210329162230649]

Source: blog.51cto.com/4073279/2676454